Brokers need to adopt a proactive role in assessing commercial clients’ digital security as cyber insurance morphs into a hybrid of preventative risk management services and responsive claims investigation to tackle evolving cyber threats

Since Q4 last year, cyber insurance industry professionals have spotted a worrying new trend gaining traction, where data exfiltration – the theft of sensitive organisational information by an employee or third-party – is used in conjunction with ransomware to deliver a heavy hitting, bribery-based blow to commercial victims.

Typically motivated by financial gain, the type of information that is usually targeted by data exfiltration is “sensitive financial information, company secrets, intellectual property, [or] health information,” explained Ben Davis, insurance lead for emerging risks at Superscript.

Although data exfiltration, also known as a data breach, data leakage or data theft, has been a commonly used tactic within cyber crime for some time, it has only recently been merged with ransomware, as criminals look to develop more certain methods of receiving financial pay outs.

Dennis Toomey, global director for counter fraud analytics and insurance solutions at BAE Systems, demonstrated this perspective, saying: “Exfiltration of data, and subsequent extortion and publishing of sensitive data, has become the new normal over the course of 2020. BAE Systems actively tracks 10 different ransomware operators’ activity where stolen data is published, or threats to publish are made on a daily basis.”

Superscript’s Davis added: “Hackers need to look to different ways of getting the same pay out. Unfortunately with cyber crime, it evolves quite quickly because these attackers are very smart and they’re able to iterate and iterate on different strains of ransomware.

“What data exfiltration does is it just adds another string to their bow in order to coerce their victims into giving them money.

“They are able to get into their victim’s systems and then they’re able to encrypt the data. With data exfiltration, they’ll also steal the data, so they’ll make a copy, move it to their own systems, encrypt the copy that the customer has. The victim then will have to pay the ransom to decrypt the information, [which is] a standard ransomware attack.

“But, there’s been a wave of free decryption tools that have come out, so a lot more companies aren’t paying the ransom, so what the hackers have done now is say ‘ok, if you don’t pay the ransom, we are going to leak all this data and we’ll post it publicly so people can see everything’.”

Roger Francis, cyber claims director at CFC, described data exfiltration as a more “noisy” tactic than other cyber crime.

He explained: “What you’re doing with data exfiltration is you’re adding a step in where you’re doing internal reconnaissance, looking through the network, trying to find sensitive data, so it’s adding a step in that chain.

“Whereas before, I would employ some ransomware, I’m now combing the network. I’m trying to figure out where all the shares are, potentially start looking into people’s inboxes. I’m then also taking data off the network, so there’s the sheer size of the data.”

The key danger with data exfiltration is the reputational risk, which Toomey described as “tremendous”.

Davis agreed, explaining that the leak of organisational secrets or intellectual property is particularly dangerous, as this could lead to the creation of overseas “copycat” companies that use the stolen data to model their business on, but offer the related services at a more competitive price.

“When profits will be hurt is when copycat companies that can do it for a fraction of the price pop up around the world having the same trade secrets and ways of doing business,” he noted.

Toomey added: “Once sensitive data has been leaked, there is no assurance, even with payment, that the data has not been sold on elsewhere, and this may not become apparent for many years after the incident.”

The other difference with data exfiltration is the regulatory aspect, for example surrounding legal frameworks such as the General Data Protection Regulation (GDPR). If a company therefore experiences data ex-filtration, depending on its location, it may have to notify certain regulatory bodies and incur related legal costs.

Data exfiltration in action

LG

Ben Davis, insurance lead for emerging risks at Superscript, cited an example of data exfiltration that occurred in June, when ransomware operator Maze claimed to have encrypted and stolen information from manufacturer LG Electronics. A report by Bleeping Computer said that Maze had stolen 40GB of source code for LG’s devices, such as mobile phones and laptops, which Maze then threatened to publish.

“It could be incredibly damaging to companies if they have their trade secrets and really important data leaked to the public, and that’s why data exfiltration is now becoming more commonly associated with your standard ransomware deliveries,” Davis said.

Dennis Toomey, global director for counter fraud analytics and insurance solutions at BAE Systems, added that the “cyber gangs leading the charge in data exfiltration, making this a much more common part of a ransomware attack, [are] Maze, Sodinokibi and Nemty, to name a few”.

The broker as an educator

But how can brokers help their commercial clients with this new cyber threat? Lindsey Nelson, cyber development leader at CFC, said brokers have a “crucial role” to play with regards to communication and education, visibly demonstrating to clients the value of the proactive risk management services that often come hand-in-hand with modern cyber policies, as well as explaining the specific risks of data exfiltration.

“Brokers are the best positioned individuals to help companies realise the value of their intangible assets and [that they] are now outstripping their tangible ones,” she said. “A broker is a vital role in the chain to help send the message along in terms of cyber insurance working as a service.”

Davis agreed, explaining that brokers need to clearly define what is covered within a client’s policy, as well as what isn’t insured, in order to improve customer understanding.

However, Davis added that brokers should also be much more involved with assessing their client’s cyber security hygiene before cover is even placed with an insurer – this helps businesses get the best premium prices.

He said: “A lot of the time what brokers will do is speak to the insurance manager for the company, so you’ll speak to the risk manager or the CFO.

”But, what is really important is for the broker to speak to either the CTO or the head of engineering in these companies to really understand what cyber security procedures are in place and to help them increase their security score.

”Quite frankly, there are a number of times where their premium is higher because they haven’t had the right cyber security measures in place.

“Something [brokers] can do is vet [the client] before we even get them to an insurance company, saying ‘you need to have these things in order to get the best price possible and in order to get the best cover possible’ because if we present the company to our insurance carriers and they don’t have the right stuff in place, they could be charged a lot more. It’s all about making sure that our clients understand the view that the insurers are coming from.

“We really are the bridge between the client and the insurer. We help the client, make them as insurable as possible. At the end of the day, it helps them too. We hope they don’t have a claim in the first place. Part of our job is making sure that they have procedures in place so they don’t even have the claim and if they do, that’s when the insurance policy kicks in.”

Proactive insurer response

At its core, data exfiltration is a form of data breach, which means that it is covered within a standard cyber insurance policy. Davis added, however, that insureds should check that PR costs and managing reputational damage is included within policy wordings; insuring intellectual property typically requires a specific, separate policy too.

In terms of an insurer’s response to a cyber attack including data exfiltration, Nelson said this typically involves initial forensic work, root cause analysis, the provision of legal costs and support, as well as coverage for any loss of income as a result of the attack.

This includes “the reputational harm costs for lost customers or cancelled contracts by those customers of the business who no longer want to be associated with that business as a client”.

For Davis, proactive measure such as “access to employee training, penetration testing, different services that help increase the company’s cyber posture,” are vital.

Speed is also essential when “trying to ascertain the extent of the hack” he said. “What I see is that the hackers will normally still be within the systems and they can still monitor communications between people within that network.

”And so, you’ll have hackers monitoring communications from people saying, ‘oh we’ve been hacked’, and actually having discussions about the ransom that the hackers are demanding, which obviously makes it a one-sided bargaining attempt.

“It’s really important to understand the extent of the attack as quickly as possible and mobilise all the different professionals that need to be alerted to the attack as quickly as possible. That’s really what a cyber policy is – it’s not so much a traditional insurance policy, but more of a cyber risk management team that’s mobilised when there is an attack.”

silver bullet

No ‘silver bullet’ solutions

Although Dennis Toomey, global director for counter fraud analytics and insurance solutions at BAE Systems, said that there are no “silver bullet answers” when it comes to insurers’ approaches to tackling data exfiltration, he recommended that “insurers could ask for evidence of implementation of basic controls that would make attacks less likely to succeed”.

This could include, for example, “an assessment [or] accreditation by a third-party covering controls such as network segregation, patching, vulnerability management, user account life cycle management, end user training, two factor authentication, [data loss prevention] technology [and] offline backups”.